Feature #1904
closedmod_secdownload option to include url GET parameters in md5
Description
I am using lighttpd secure_download to restrict access to multimedia files (images and videos) to registered members to a website. However I needed to include the get parameters in the md5 hash to protect mod_flv_streaming type of URLs (http://someserver.com/some_video.flv?start=1234).
I wrote some code to support this. The string to be hashed is:
<secret><rel-path><timestamp-hex><parameters-string>
where parameters-string is for exemple "start=1234", or "start=1234&id=4321"
The following option can be used in lighttpd config file to activate this behaviour (which is disabled by default):
secdownload.md5-params = "enable"
An exemple of a generated URL:
http://206.125.164.199/dl/884101a561c305c29571d32461257528/499ad324/V12491_full_vp6_1000.flv?start=0&end=30
If a user try to alter the parameters (ie: start=0&end=120) or to remove them, mod_secdownload will return a 403 error.
I included a diff file to that issue report and I would greatly appreciate I you could consider using this patch in a future release.
Thanks!
Mathieu
Files
Updated by mimbert over 15 years ago
- File securedownload.diff securedownload.diff added
Updated by wolpert over 12 years ago
Is there any progress with this patch? Is this known to work? I have the same needs now...
Updated by mimbert over 12 years ago
Wolpert, I've been using this patch for 3 years now. So if they don't include it in a release, I suggest you use my diff and compile your own version...
Updated by stbuehler over 12 years ago
- Target version set to 1.4.x
- Missing in 1.5.x set to No
1.4.x is sort of "stable", so feature requests are not a priority. And if the target version isn't set i don't see them in the roadmap, so they get lost pretty fast :)
The patch itself looks fine apart from one detail: imho the "?" should be part of the md5 too (con->uri.query starts after the "?").
Updated by mimbert over 12 years ago
Good point. I considered the '?' as a simple separator and did not include it in the signature, so in my opinion the param should only be key1=val1&key2=val2... Furthermore the signing is done in PHP and the $_SERVER['QUERY_STRING'] doesn't include the '?'.
Updated by wolpert over 12 years ago
I could use either method for the md5 myself. I'd rather keep query params attached to the md5 the way you would a path_info param... but I have no legacy code to work with here. (FWIW, My client usage will be in Java)
Updated by gstrauss almost 8 years ago
- Subject changed from mod_secure_download option to include url GET parameters in md5 to mod_secdownload option to include url GET parameters in md5
- Status changed from New to Need Feedback
- Priority changed from Normal to Low
Is this feature request still desirable?
In the intervening year, additional algorithms have been added to mod_secdownload which are more tamper resistant than MD5: HMAC-SHA1 and HMAC-SHA256
Even if using MD5, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.
Updated by gstrauss almost 8 years ago
- Related to Feature #646: secdownload.path_elements support added
Updated by gstrauss almost 8 years ago
- Status changed from Need Feedback to Patch Pending
- Target version changed from 1.4.x to 1.4.45
Updated by gstrauss almost 8 years ago
- Target version changed from 1.4.45 to 1.4.46
Updated by gstrauss over 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset afce434e0b0ee517fef06cf32d3f9de25ceddc14.
Also available in: Atom